Post navigation

If it felt like the last year saw more and bigger data breaches than usual, well, that’s because it did.

2013 was a bumper year for data loss dominated by a handful of truly enormous breaches, according to a summary report from threat intelligence consultancy firm Risk Based Security (RBS).

In 2164 separate incidents, over 822 million records were exposed, nearly doubling the previous highest year on record (2011). Four of those breaches made the all-time top ten and almost half involved the loss of password data.

Hacking accounted for almost 60% of incidents, and over 70% of leaked records.

The RBS data is provided in collaboration with the Open Security Foundation, maintainer of the DataLossDB, which tracks data loss incidents around the world, scouring news for incident reports as well as probing government using Freedom of Information requests.

The data analysed includes all sorts of data loss, not just big hacking incidents, with small events involving fewer than 1000 leaked records making up more than half of 2013’s reports.

9.3% of the incidents are described as “physical” – for example, someone making off with a pile of paper files – but they contribute less than 0.1% of the leaked records, showing just how much more vulnerable computer-based records are to epic-scale theft and loss.

It’s the big breaches that really make the difference, with the Adobe breach rated the largest ever, leaking 152 million records and nudging a 2012 incident at a Chinese marketing firm into second place by a whisker.

Also making the top ten are the recent massive Target breach, in at number 5 exposing 110 million records, a flaw in a Pinterest API in March responsible for 70 million records lost, earning tenth place, and a rather mysterious event in South Korea in August which notched up 140 million sets of records of unknown origin, rating 3rd biggest ever.

South Korea got 2014 off to a strong start too of course, with the recent banking data heist notching up another 20 million leaked records.

Geographically, the US has by far the biggest share of pain, with over a thousand incidents, 48.7% of the total, and 66.5% of all lost records at over half a billion.

Within the US, the bulk of events took place in California, home to huge numbers of tech firms hosting data from around the world.

Second placed nation in terms of incidents is the UK, despite its small size and population, notching up 5.5% of all breaches reported. In records lost, South Korea takes second spot thanks almost entirely to that single monster incident.

All types of personal data have been leaked, with passwords involved in 47.8% of incidents, and names, user IDs and email addresses all leaked in around 40% of cases. The holy grail of data, the card number, was compromised in only 10.4% of incidents.

In terms of threat vectors, the majority (71.2%) are attributable to outside actors, rather higher than the all-time average of 63.2%, implying that we’re either getting worse at protecting our networks from compromise, or that more people are trying harder to get access to private data.

Hacking accounted for 59.75% of incidents and 72.05% of leaked records, while leaky websites and web applications were behind 4.76% of events and 16.86% of exposed data sets.

The study seems to show the insider threat to be much less severe than some may expect, with less than a third of all incidents down to insider activity – 9.4% malicious and 17.1% accidental.

This runs contrary to some other studies, such as a recent report from French IT management provider IS decisions which suggests that insiders represent the greater risk to organisations. Their survey-based data covers a range of smaller incident types though, such as passwords shared between employees, which would perhaps not merit inclusion in the RBS report.

Perhaps the most worrying part of the RBS study is the high number of repeat offenders. 260 of the 2013 incidents – more than 10% of the total – were organisations which had already suffered breaches in the past, with 60 reporting multiple incidents in 2013 and 28 racking up 10 or more incidents since data collection started in 2006.

Universities are the worst culprit in this area, with 565 repeat incidents. Scarily, financial institutions aren’t far behind with 391.